1828312 - Assertion failure: typeVreg + 1 == payloadVreg, at jit/shared/Lowering-shared.cpp:100

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect, P1)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

var A = {
  c: function (u) {
    if (u == 0) return 0;
    if (u == null) u = 4294967295;
    return (A.b.c1() >>> 0) % u;
  },
  d: function (v) {
    v instanceof Array;
    if (!v.length) return;
    return v[this.c(v.length)];
  },
  e: function () {},
  f: function () {},
};
function q(n) {
  return A.c(n);
}
x = 1;
FOOBARFOOBAR11 = [""];
function f(d, b) {
  q(x);
  if (d < q(5)) {
    if (q(4)) return A.d([]);
    return A.d([]);
  }
  q(5) == 0;
  function z() {
    f(d - 1, b, i);
  }
  var y = q(1);
  function mc(a) {
    switch (q(3) ? y : q(1)) {
      case 0:
        return a;
    }
  }
  if (i);
  if (q(20) == 0) return mc(mc(z) + "" + mc(z()) + mc(z()));
  switch (q(4)) {
    case 0:
      return mc(mc(z()) + A.d(FOOBARFOOBAR11) + mc(z()));
    case 1:
      return mc(A.d(FOOBARFOOBAR11) + mc(z()));
    case 2:
      return mc("" + A.d(FOOBARFOOBAR11) + mc(z()));
    default:
      mc("" + A.d(FOOBARFOOBAR11) + mc(z()) + mc(z()));
  }
}
function h(b) {
  if (q(b) == 0) return [FOOBARFOOBAR111()];
  return [
    function () {
      q(1);
      return n();
    },
  ][(A.b.c1() >>> 0) % 1]();
}
function n() {
  q(5);
  h(1);
  h(1);
  A.b.c1();
  q(5);
  h(1);
  A.b.c1();
  q(5);
  h(1);
  A.b.c1();
  q(5);
  h(1);
  A.b.c1();
  q(5);
  h(1);
  A.b.c1();
  q(5);
  h(1);
  A.b.c1();
  A.b.c1();
  h(1);
  A.b.c1();
}
function FOOBARFOOBAR111() {
  i = 0;
  q(8);
  q(8);
  q(8);
  q(8);
  q(8);
  q(8);
  q(8);
  q(8);
  q(8);
  q(8);
}
function g() {
  let m1 = new Int32Array([0, 2567483615]);
  let m2 = new Int32Array(624);
  let m3 = 625;
  this.a1 = function () {
    for (let i = 1; i < 615; i++)
      m2[i] = Math.imul(1812433253, m2[i - 1] ^ (m2[i - 1] >>> 30)) + i;
  };
  this.b1 = function () {
    m3 = 20;
  };
  this.c1 = function () {
    if (m3 >= 624) {
      for (kk = 0; kk < 227; kk++) {
        y = (m2[kk] & 2147483648) | (m2[kk + 1] & 2147483647);
        m2[kk] = m2[kk + 397] ^ (y >>> 1) ^ m1[y & 1];
      }
      for (k = 226; kk < 623; kk++) {
        m2[kk] = m2[kk - 227] ^ (y >>> 1) ^ m1[y & 1];
      }
      m3 = 0;
    }
    y = m2[m3++];
    y = y ^ (y >>> 11);
    y = y ^ ((y << 7) & 2636928640);
    y = y ^ ((y << 15) & 4022730752);
    return y ^ (y >>> 18);
  };
}
function p(d) {
  f(d - 1, []);
}
A.b = new g();
A.b.a1();
A.b.c1();
A.b.b1();
A.b.c1();
A.b.c1();
A.b.c1();
A.b.c1();
q(8);
d = q(14);
A.b.c1();
A.b.c1();
h(9);
q();
A.b.c1();
A.b.c1();
A.b.c1();
A.b.c1();
A.b.c1();
A.b.c1();
p(d);
A.b.c1();
A.b.c1();
A.b.c1();
A.b.c1();
A.b.c1();
A.b.c1();
p(11);

js::jit::LIRGeneratorShared::definePhiTwoRegisters (this=0xffffaa68, phi=0xe359a950, lirIndex=0) at /home/skygentoo/trees/mozilla-central/js/src/jit/shared/Lowering-shared.cpp:100
100	  MOZ_ASSERT(typeVreg + 1 == payloadVreg);
(gdb) bt
#0  js::jit::LIRGeneratorShared::definePhiTwoRegisters (this=0xffffaa68, phi=0xe359a950, lirIndex=0) at /home/skygentoo/trees/mozilla-central/js/src/jit/shared/Lowering-shared.cpp:100
#1  0x58ca232a in js::jit::LIRGeneratorShared::defineUntypedPhi (this=<optimized out>, phi=<optimized out>, lirIndex=0) at /home/skygentoo/trees/mozilla-central/js/src/jit/shared/Lowering-shared.h:322
#2  js::jit::LIRGenerator::definePhis (this=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/jit/Lowering.cpp:6749
#3  js::jit::LIRGenerator::visitBlock (this=0xffffaa68, block=0xe359a760) at /home/skygentoo/trees/mozilla-central/js/src/jit/Lowering.cpp:6788
#4  0x58ca2797 in js::jit::LIRGenerator::generate (this=0xffffaa68) at /home/skygentoo/trees/mozilla-central/js/src/jit/Lowering.cpp:6867
#5  0x58b47b43 in js::jit::GenerateLIR (mir=0xf60e0100) at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:1470
#6  0x58b47fcf in js::jit::CompileBackEnd (mir=0xf60e0100, snapshot=0xf3f0a8e0) at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:1559
#7  0x58b49340 in js::jit::IonCompile (cx=0xf7618100, script=..., osrPc=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:1685
#8  js::jit::Compile (cx=0xf7618100, script=..., osrFrame=<optimized out>, osrPc=0x0) at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:1852
#9  0x58b49e76 in BaselineCanEnterAtEntry (cx=0xf7618100, frame=0xffffb400, script=...) at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:1984
#10 IonCompileScriptForBaseline (cx=0xf7618100, frame=0xffffb400, pc=0xf76097b1 "\264\001") at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:2108
#11 0x58b49940 in js::jit::IonCompileScriptForBaselineAtEntry (cx=0xf7618100, frame=0xffffb400) at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:2135
#12 0xe8202b4e in ?? ()
#13 0xe826d8b4 in ?? ()
#14 0xe826c32b in ?? ()
#15 0xe826d508 in ?? ()
#16 0xe826bdb2 in ?? ()
#17 0xe826d90b in ?? ()
#18 0xe826c32b in ?? ()
#19 0xe826d24c in ?? ()
#20 0xe826bdb2 in ?? ()
#21 0xe826d90b in ?? ()
#22 0xe826c32b in ?? ()
#23 0xe826d4bc in ?? ()
#24 0xe826bdb2 in ?? ()
#25 0xe826d90b in ?? ()
#26 0xe826c32b in ?? ()
#27 0xe826d09e in ?? ()
#28 0xe826bdb2 in ?? ()
#29 0xe826d90b in ?? ()
#30 0xe826c32b in ?? ()
#31 0xe826d3e4 in ?? ()
#32 0xe826bdb2 in ?? ()
#33 0xe826d90b in ?? ()
#34 0xe826c32b in ?? ()
#35 0xe822e0c5 in ?? ()
#36 0xe826b8d1 in ?? ()
#37 0xe822e1a5 in ?? ()
#38 0xe81fa7f3 in ?? ()
#39 0x58c1e928 in EnterJit (cx=<optimized out>, code=<optimized out>, state=...) at /home/skygentoo/trees/mozilla-central/js/src/jit/Jit.cpp:104
#40 js::jit::MaybeEnterJit (cx=0xf7618100, state=...) at /home/skygentoo/trees/mozilla-central/js/src/jit/Jit.cpp:213
#41 0x57d40036 in js::RunScript (cx=<optimized out>, state=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:448
#42 0x57d40afc in js::InternalCallOrConstruct (cx=0xf7618100, args=..., construct=js::NO_CONSTRUCT, reason=js::CallReason::Call) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:612
#43 0x57d4167a in InternalCall (cx=0xf7618100, args=..., reason=js::CallReason::Call) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:647
#44 0x57d415f2 in js::CallFromStack (cx=0xf7618100, args=..., reason=js::CallReason::Call) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:652
#45 0x5876a5ca in js::jit::DoCallFallback (cx=0x568d14db, frame=0xffffc1b0, stub=0xf663b72c, argc=1, vp=0xffffc170, res=...) at /home/skygentoo/trees/mozilla-central/js/src/jit/BaselineIC.cpp:1591
#46 0xe820038d in ?? ()
#47 0xe822a392 in ?? ()
#48 0xe822e1a5 in ?? ()
#49 0xe81fa7f3 in ?? ()
#50 0x58c1e928 in EnterJit (cx=<optimized out>, code=<optimized out>, state=...) at /home/skygentoo/trees/mozilla-central/js/src/jit/Jit.cpp:104
#51 js::jit::MaybeEnterJit (cx=0xf7618100, state=...) at /home/skygentoo/trees/mozilla-central/js/src/jit/Jit.cpp:213
#52 0x57d40036 in js::RunScript (cx=<optimized out>, state=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:448
#53 0x57d42eb0 in js::ExecuteKernel (cx=0xf7618100, script=..., envChainArg=..., evalInFrame=..., result=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:845
#54 0x57d4327d in js::Execute (cx=0xf7618100, script=..., envChain=..., rval=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:877
#55 0x57e896d5 in ExecuteScript (cx=0xf7618100, envChain=..., script=..., rval=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:472
#56 0x57e898b1 in JS_ExecuteScript (cx=0xf7618100, scriptArg=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:496
#57 0x57c8b23e in RunFile (cx=0x59400a44 <gMozCrashReason>, filename=<optimized out>, file=0xf771b250, compileMethod=CompileUtf8::DontInflate, compileOnly=<optimized out>, fullParse=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:1098
#58 0x57c8a786 in Process (cx=<optimized out>, filename=<optimized out>, forceTTY=<optimized out>, kind=FileScript) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:1697
#59 0x57c55213 in ProcessArgs (cx=0xf7618100, op=0xffffca90) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:10591
#60 Shell (cx=0xf7618100, op=0xffffca90) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:10815
#61 0x57c4f4fa in main (argc=7, argv=0xffffcc04) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:11247

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/bd4da5d6dfe0
user:        Doug Thayer
date:        Wed Apr 05 05:57:06 2023 +0000
summary:     Bug 1819722 - Monomorphic inlining r=iain

Run with --fuzzing-safe --no-threads --fast-warmup --blinterp-warmup-threshold=0 --ion-warmup-threshold=100, compile with PKG_CONFIG_PATH=/usr/lib/x86_64-linux-gnu/pkgconfig 'CC="clang -msse2 -mfpmath=sse"' AR=ar 'CXX="clang++ -msse2 -mfpmath=sse"' sh ../configure --host=x86_64-pc-linux-gnu --target=i686-pc-linux --enable-debug --with-ccache --enable-debug-symbols --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev c061ec6c908e.

Doug, is bug 1819722 a likely regressor? Setting s-s just-in-case.

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1819722

Comment 2

[Iain Ireland [:iain]]

This is a nice find, but it is not security-sensitive. It's an over-zealous assertion.

In what I can only assume is an absolutely massive CFG, we run out of virtual registers while trying to allocate the second half of a Value phi (on 32-bit). We hit this code, which triggers an abort and returns a dummy value. In definePhiTwoRegisters, we assert that the type and payload registers are sequential, which is not true in this case.

We added a +1 to handle the defineBoxed case here, but definePhiTwoRegisters has an extra assertion. Also, we currently treat definePhis as infallible, which triggers an assertion at the beginning of visitInstruction because we don't expect to have already errored.

I have a patch that fixes the assertions. It's a little interesting that monomorphic inlining leads to such a large number of virtual registers. Doug, do you want to take a quick look at this and see if we're inlining too much stuff?

Comment 3

[Iain Ireland [:iain]]

Attachment: Bug 1828312: Handle running out of virtual registers in definePhis r=dthayer

Comment 4

[Christian Holler (:decoder)]

We are seeing this in automation as well, but I was not able to reproduce any of these. Iain, do you know what makes these potentially non-deterministic and can/should we do something about it?

Comment 5

[Iain Ireland [:iain]]

Hmm, interesting. This particular testcase was completely deterministic for me. It involves very large Ion compilations, so it's possible that you're racing main-thread execution with off-thread compilation?

Comment 6

[Pulsebot]

Pushed by iireland@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6fe78ed77545
Handle running out of virtual registers in definePhis r=dthayer

Comment 7

[Cristina Horotan [:chorotan]]

https://hg.mozilla.org/mozilla-central/rev/6fe78ed77545

Comment 8

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:iain, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox113 to wontfix.

For more information, please visit auto_nag documentation.

Comment 9

[Iain Ireland [:iain]]

This patch only changes assertions, shouldn't have any effect on release builds, and doesn't need uplifting. We could consider uplifting Doug's follow-up patch in bug 1828541, though.